Static NAT for DMZ hosts

pkpatel (Level 1)

Hello,

It has been a while since I last worked on a firewall. Please take a look at the info below.

  • INSIDE does not have access to Internet

  • Services/Servers in DMZ need to be accessible from Internet

CONFIG

names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.46 255.255.255.240 standby X.X.X.45
!
interface Ethernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address INSIDE.254 255.255.254.0 standby INSIDE.253
!
interface Ethernet0/2
!
interface Ethernet0/2.1
 description LAN Failover Interface
 vlan 20
!
interface Ethernet0/2.2
 description STATE Failover Interface
 vlan 30
!
interface Ethernet0/3
 description DMZ INTERFACE
 speed 100
 duplex full
 nameif dmz
 security-level 100
 ip address DMZ.254 255.255.255.0 standby DMZ.253
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name CDGI.com
same-security-traffic permit inter-interface
access-list NAT0_INSIDE_DMZ remark NO NAT FROM INSIDE TO DMZ
access-list NAT0_INSIDE_DMZ extended permit ip INSIDE.0 255.255.254.0 DMZ.0 255.255.255.0
access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.41
access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.41 eq www
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.41 echo
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.41 echo-reply
access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.42
access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.42 eq www
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.42 echo
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.42 echo-reply
access-list NO-NAT-INTERNAL extended permit ip INSIDE.0 255.255.254.0 DMZ.0 255.255.255.0
access-list NO-NAT-INTERNAL extended permit ip INSIDE.0 255.255.254.0 192.168.254.0 255.255.255.0
access-list NO-NAT-DMZ extended permit ip DMZ.0 255.255.255.0 192.168.254.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool SSLCLIENT_IP_POOL 192.168.254.1-192.168.254.25 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface FAILOVER Ethernet0/2.1
failover link STATEFUL Ethernet0/2.2
failover interface ip FAILOVER 172.31.254.254 255.255.255.252 standby 172.31.254.253
failover interface ip STATEFUL 172.31.254.250 255.255.255.252 standby 172.31.254.249
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (dmz) 0 access-list NO-NAT-DMZ
static (dmz,outside) X.X.X.41 DMZ.49 netmask 255.255.255.255
static (dmz,outside) X.X.X.42 DMZ.28 netmask 255.255.255.255
access-group OUTSIDE_TO_DMZ in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect http
!
service-policy global_policy global

===========================================================================================

As you can see above, the config has an ACL that allows traffic from the Internet to the DMZ and has static NAT. The hosts in the DMZ are still not accessible.

Please help.

Thanks,

Paresh.

6 Replies

cadet alain (VIP Alumni)

Hi,

For Inside to internet:

you have neither global (outside) nor nat (inside) configured.

nat (inside) 1 0 0

global (outside) 1 interface

For the second part, I see no problem in the config. Is it not working?

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

We don't need to allow Internet access from inside, which is why "nat (inside) 1 0 0" is not configured. Also, I had put in "global (outside) 1 interface" and removed it later.

It still is not working.

Thanks,
Paresh.

Hi,

ok so what is not working then?

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

The NAT'd DMZ hosts should be accessible over HTTP using the NAT public IP addresses, but they are not.

Thanks,
Paresh.

Hi,

Can you do a packet-tracer from outside to the public IP with http and post the result?

Regards.

Alain.

Don't forget to rate helpful posts.
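An added example, not part of this thread and not a Cisco tool: a small Python checker that reads the relevant lines of the config posted above (copied verbatim, including the X.X.X.41 and DMZ.49 placeholders) and does the two reviews Alain's replies describe. It confirms that each `static (dmz,outside)` has a matching `permit` to its mapped address in the ACL applied inbound on outside (on pre-8.3 code the interface ACL matches the mapped address, not the real one), flags the `permit ip any host` lines, which open every port on the DMZ host and make the service-specific lines after them redundant, notes that inside and dmz sit on the same security level with `same-security-traffic permit inter-interface` and no access-group on either, and prints the `packet-tracer` commands Alain asked for. The parser only understands the ACE shape used in this config; the source address 203.0.113.10 and source port 40000 are arbitrary test values.

```python
"""Added reviewer checks for a pre-8.3 ASA config that publishes DMZ hosts
(static + interface ACL); not from the thread or from Cisco."""
import re
from collections import defaultdict

# Constructed sample: the relevant lines copied from the post above,
# placeholders (X.X.X.41, DMZ.49, ...) left exactly as the poster wrote them.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/3
 nameif dmz
 security-level 100
same-security-traffic permit inter-interface
access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.41
access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.41 eq www
access-list OUTSIDE_TO_DMZ extended permit icmp any host X.X.X.41 echo
access-list OUTSIDE_TO_DMZ extended permit ip any host X.X.X.42
access-list OUTSIDE_TO_DMZ extended permit tcp any host X.X.X.42 eq www
static (dmz,outside) X.X.X.41 DMZ.49 netmask 255.255.255.255
static (dmz,outside) X.X.X.42 DMZ.28 netmask 255.255.255.255
access-group OUTSIDE_TO_DMZ in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
# Only the "<proto> <src> host <dst> [eq port | icmp-type]" ACE shape used above.
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+?) host (\S+)\s*(.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}

def parse(text):
    """Pull interfaces, statics, ACEs and access-groups out of the config text."""
    cfg = {"seclevel": {}, "statics": [], "aces": defaultdict(list),
           "groups": {}, "same_sec": False}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = None                         # logical name comes from nameif
        elif line.startswith("nameif "):
            iface = line.split()[1]
        elif line.startswith("security-level ") and iface:
            cfg["seclevel"][iface] = int(line.split()[1])
        elif line == "same-security-traffic permit inter-interface":
            cfg["same_sec"] = True
        elif (m := STATIC_RE.match(line)):
            cfg["statics"].append({"real_if": m[1], "mapped_if": m[2],
                                   "mapped": m[3], "real": m[4]})
        elif (m := ACE_RE.match(line)):
            cfg["aces"][m[1]].append({"action": m[2], "proto": m[3], "src": m[4],
                                      "dst": m[5], "rest": m[6]})
        elif (m := GROUP_RE.match(line)):
            cfg["groups"][m[2]] = m[1]           # interface -> inbound ACL name
    return cfg

def check_publishing(cfg):
    """Return (severity, message) findings for each static and for the interfaces."""
    findings = []
    for s in cfg["statics"]:
        acl = cfg["groups"].get(s["mapped_if"])
        if acl is None:
            findings.append(("ERROR", f"no inbound access-group on {s['mapped_if']}; "
                             f"{s['mapped']} is unreachable from that side"))
            continue
        hits = [a for a in cfg["aces"][acl]
                if a["dst"] == s["mapped"] and a["action"] == "permit"]
        if not hits:   # pre-8.3: the interface ACL must name the mapped address
            findings.append(("ERROR", f"{acl} has no permit to mapped address {s['mapped']}"))
        for a in hits:
            if a["proto"] == "ip" and a["src"] == "any":
                findings.append(("WARN", f"{acl}: 'permit ip any host {s['mapped']}' opens "
                                 f"every port on {s['real']} and shadows the service lines"))
    # Interfaces on one security level, inter-interface traffic permitted and no
    # ACL on either of them: a compromised host on one reaches the other freely.
    by_level = defaultdict(list)
    for name, lvl in cfg["seclevel"].items():
        by_level[lvl].append(name)
    for lvl, names in by_level.items():
        open_ifs = sorted(n for n in names if n not in cfg["groups"])
        if len(open_ifs) > 1 and cfg["same_sec"]:
            findings.append(("WARN", f"{open_ifs} share security-level {lvl} with no "
                             "access-group on either; traffic between them is unfiltered"))
    return findings

def packet_tracer_cmds(cfg, src_ip="203.0.113.10", src_port=40000):
    """One packet-tracer per published TCP service, ready to paste into the ASA CLI."""
    cmds = []
    for s in cfg["statics"]:
        for a in cfg["aces"][cfg["groups"].get(s["mapped_if"], "")]:
            if a["dst"] == s["mapped"] and a["proto"] == "tcp" and a["rest"].startswith("eq "):
                port = PORT_NAMES.get(a["rest"].split()[1], a["rest"].split()[1])
                cmds.append(f"packet-tracer input {s['mapped_if']} tcp {src_ip} "
                            f"{src_port} {s['mapped']} {port} detailed")
    return cmds

if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    for sev, msg in check_publishing(cfg):
        print(f"{sev}: {msg}")
    print("\n".join(packet_tracer_cmds(cfg)))
```

Run as a script it prints the findings and the commands. On this config it reports no ERROR, which matches Alain's reading that the static and ACL are fine, and three WARN lines about exposure; the `packet-tracer ... detailed` output, which lists every phase the simulated packet passes through and the drop reason if one is hit, is then the next thing to look at on the box itself.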

Hi Alain,

We had to roll back. The firewall is not in production at the moment. I will collect the data during the second attempt, TBD, and post it.

Thanks,
Paresh.
